Re: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

["Jon Shallow" <supjps-ietf@jpshallow.com>]

Hi Tiru,

 

I believe that we are getting towards closure on this one.

 

See inline Jon>

 

Regards

 

Jon

 

From: Dots [mailto:ietf-supjps-dots-bounces@ietf.org] On Behalf Of Konda, Tirumaleswar Reddy
Sent: 07 September 2018 06:40
To: Jon Shallow; dots@ietf.org; Mortensen, Andrew
Subject: Re: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

 

Hi Jon,

 

Please see inline

 

From: Jon Shallow <supjps-ietf@jpshallow.com> 
Sent: Thursday, September 6, 2018 8:16 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; dots@ietf.org; Mortensen, Andrew <amortensen@arbor.net>
Subject: RE: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

 


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

  _____  

Hi Tiru,

 

I guess I may be missing something here, but whatever is decided needs to go into either the data channel draft, or requirements draft for clarity on how to handle direct configuration or data channel configuration.

 

[TR] I guess it’s too late to modify the requirements draft, but we can update the data channel draft. We can add the following lines:

 

DOTS server MUST not enable both DOTS data channel and direct configuration to avoid race conditions, inconsistent configurations arising from simultaneous updates from multiple sources. DOTS agents SHOULD use DOTS data channel and only use direct configuration as a stop-gap mechanism to test the DOTS signal channel with aliases. In addition, direct configuration SHOULD only be used when all the DOTS agents are within the same domain. If the DOTS server has enabled direction configuration,

Jon> “direct configuration”, not “direction configuration”

it can reject DOTS channel connection using hard ICMP error [RFC1122].  To interfere with the DOTS data channel, an attacker might send an ICMP error message towards the DOTS client.  The counter-measures discussed in [RFC5927] can be used to guard against ICMP attacks.

Jon> ICMP is a bad mechanism to use – it can be blocked by firewalls, not easy to access in an application on a TCP connection, difficult to pass through a DOTS gateway etc.  If the server is not accepting connections, then a TCP RST is passed back – much simpler to handle.  So, for me, a better text could be

it can reject the DOTS channel connection by not listening on the data channel port, or by sending back a 503 status code.

 

If we shut down the use of the Data Channel as the DOTS server is only supporting direct configurations, then this will be for both the Alias and ACL definitions.

 

[TR] Yes, and direct configuration is not the recommended approach. It’s just a stop-gap mechanism to test DOTS signal channel without data channel. 

 

This violates, for instance

   DATA-004  Black- and whitelist management: DOTS servers MUST provide

      methods for DOTS clients to manage black- and white-lists of

      traffic destined for resources belonging to a client.

and potentially (depending on what you understand ‘interface’ as meaning)

   DATA-003  Resource Configuration: To help meet the general and signal

      channel requirements in Section 2.1 and Section 2.2, DOTS server

      implementations MUST provide an interface to configure resource

      identifiers, as described in SIG-007.  DOTS server implementations

      MAY expose additional configurability

 

[By the way DATA-003 refers to SIG-007 – which should be SIG-008 – needs correcting]

 

[TR] Yes, will fix in the next revision. 

 

Being selective on whether it is Alias or ACL before generating a TLS fatal alert is messy and not very clean.  Fatal alerts are usually used during session setup, I can’t immediately find a suitable fatal alert to use – and whatever it is would need to be defined in the data channel.

 

Also, propagating a TLS fatal Alert through a DOTS gateway could be interesting – especially as the downstream hop has to establish TLS to find out what to do before making the ongoing connection to the upstream DOTS agent.

 

[TR] If a server enables direct configuration as a stop gap, I don’t see a point running the server just to return errors, ICMP error should suffice. 

Jon> Again, it would be a RST, not ICMP if the server was not running / listening on the port in question.

 

Again, an additional ro YANG field such as “permanent”: true, or perhaps “directly-configured”: true for the Alias and ACL would be sufficient here for the DOTS client to work out what is going on.  Is there any reason as to why this should not be done?

 

[TR] I don’t think it’s a good idea to enhance the YANG module to convey/modify direction configuration, I don’t see any such provision and discussion in NETFCONF and RESTCONF. 

Jon> OK.  The TCP RST (or perhaps 503 response) works for me.

~Jon

-Tiru

 

Regards

 

Jon

 

From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Konda, Tirumaleswar Reddy
Sent: 06 September 2018 15:05
To: Jon Shallow; dots@ietf.org; Mortensen, Andrew
Subject: Re: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

 

Hi Jon,

 

If the ultimate DOTS server supports only direct configuration, it should reject the DOTS data channel connection from the DOTS client, for example appropriate error response code (e.g. TLS fatal alert) can be returned.  The error returned by the ultimate DOTS server can be propagated by the DOTS gateway to the DOTS client. DOTS client will eventually have to rely on direct configuration. 

 

-Tiru

 

From: Jon Shallow <supjps-ietf@jpshallow.com> 
Sent: Thursday, September 6, 2018 5:43 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; dots@ietf.org; Mortensen, Andrew <amortensen@arbor.net>
Subject: RE: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

 


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

  _____  

Hi Tiru,

 

Yes, only one or the other method (data channel v direct) should be used.

 

However, both the DOTS client and DOTS server need to be configured that this is the way to do it, but then if the DOTS server is actually is a DOTS gateway, then the upstream (ultimate) DOTS server (which could be in the same domain or not) needs to be configured in the same way as the initial DOTS client.  A recipe for misconfiguration and confusion.

 

The DOTS client needs to be told by the (ultimate) DOTS server which method is being used / supported, and this can be in the response code (or embedded in the response message) when the client (due to misconfiguration) does an unexpected DELETE or PUT.  It could be in the GET response where the alias is marked as ‘permanent’.  

 

Regards

 

Jon

 

From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Konda, Tirumaleswar Reddy
Sent: 06 September 2018 11:26
To: Jon Shallow; dots@ietf.org; Mortensen, Andrew
Subject: Re: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

 

Hi Jon,

 

I thought we agreed direct configuration and DOTS data channel are mutually exclusive. If a client uses DOTS data channel, it must not perform direct configuration and vice-versa. 

 

Cheers,

-Tiru

 

From: Dots <dots-bounces@ietf.org> On Behalf Of Jon Shallow
Sent: Thursday, September 6, 2018 2:39 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; dots@ietf.org; Mortensen, Andrew <amortensen@arbor.net>
Subject: Re: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

 


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

  _____  

Hi Tiru,

 

If that is the case (and I do not disagree with what you have said – I think it is the right thing to do to support direct configuration), then we go back to the original question (with manual replaced by direct)

 

How does the DOTS client know that it is trying to delete an alias that was directly configured?

 

This then leads to another question.  What happens if the DOTS client tries to PUT update a direct configuration?

 

Two use cases for consideration.

 

First, the direct configuration specifies the CUID.

 

Second, the direct configuration is CUID agnostic and applies to all DOTS clients.

[The PUT could create an alias+CUID which takes precedence over direct-alias]

 

Regards

 

Jon

 

From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Konda, Tirumaleswar Reddy
Sent: 06 September 2018 09:52
To: Jon Shallow; dots@ietf.org; Mortensen, Andrew
Subject: Re: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

 

Hi Jon,

 

Direct configuration is possible when the DOTS client and server are in the same domain.

 

-Tiru

 

From: Jon Shallow <supjps-ietf@jpshallow.com> 
Sent: Wednesday, September 5, 2018 7:28 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; dots@ietf.org; Mortensen, Andrew <amortensen@arbor.net>
Subject: RE: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

 


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

  _____  

Hi Tiru,

 

I guess I missed / don’t currently recall that WG discussion (but can see the merit in having a standard set of aliases available to the DOTS clients which are just configured on the DOTS server).  I am trying to think of how the DOTS client configures directly without the data channel, but am failing to come up with how to do that without, say,  the operator doing it directly on the DOTS server.  “or other means” gets even more confusing.

 

I agree that directly/data channel methods are potentially mutually exclusive, but then the DOTS client/DOTS server need to negotiate which exclusive method to use…

 

It may just be simpler to drop a small amount of text.

 

Regards

 

Jon

 

From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Konda, Tirumaleswar Reddy
Sent: 05 September 2018 14:44
To: Jon Shallow; dots@ietf.org; Mortensen, Andrew
Subject: Re: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

 

We meant DOTS client either uses data channel or direct configuration to create the aliases but not use both. It was discussed in the WG sometime back that DOTS client may or may not use DOTS data channel to create aliases and hence direct configuration got added but both modes are mutually exclusive. 

 

-Tiru

 

From: Jon Shallow <supjps-ietf@jpshallow.com> 
Sent: Wednesday, September 5, 2018 6:49 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; dots@ietf.org; Mortensen, Andrew <amortensen@arbor.net>
Subject: RE: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

 


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

  _____  

Hi Tiru,

 

I meant the draft requirements document (and for some reason looking at an old draft (not the -15 version )) – I guess that this text needs to get updated then to remove the possibility of manual / direct configurations.

 

SIG-008

….

Old

      DOTS agents MUST support mitigation scope aliases, allowing DOTS

      client and server to refer to collections of protected resources

      by an opaque identifier created through the data channel, direct

      configuration, or other means.

 

SIG-008

….

New:

      DOTS agents MUST support mitigation scope aliases, allowing DOTS

      clients and servers to refer to collections of protected resources

      by an opaque identifier created through the data channel.

 

Regards

 

Jon

 

From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Konda, Tirumaleswar Reddy
Sent: 05 September 2018 14:01
To: Jon Shallow; dots@ietf.org
Subject: Re: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

 

Hi Jon,

 

It looks like an oversight to me. If multiple modes of configuration is supported for aliases, it’s a troubleshooting nightmare, could lead to race condition and inconsistent configuration, and as you know one the goals of DOTS is to avoid manual configuration. 

 

-Tiru

 

From: Jon Shallow <supjps-ietf@jpshallow.com> 
Sent: Wednesday, September 5, 2018 5:35 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; dots@ietf.org
Subject: RE: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

 


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

  _____  

Hi Tiru,

 

Unfortunately, manual / direct configuration is supported in the architecture draft, so cannot just be avoided.  

 

SIG-007

….

      DOTS agents MUST support mitigation scope aliases, allowing DOTS

      client and server to refer to collections of protected resources

      by an opaque identifier created through the data channel, direct

      configuration, or other means.

 

I agree with there being potential confusion when things are configured in multiple places, and troubleshooting  can get complicated.

 

I think we need a way of reflecting back to the DOTS client what is happening.

 

Regards

 

Jon

 

From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Konda, Tirumaleswar Reddy
Sent: 05 September 2018 11:38
To: Jon Shallow; dots@ietf.org
Subject: Re: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

 

Manual configuration creates conflicts with the DOTS protocols (just like the conflicts network devices would face if configured using both SDN and manual configuration) and I guess should be avoided.

 

-Tiru

 

From: Dots <dots-bounces@ietf.org> On Behalf Of Jon Shallow
Sent: Wednesday, September 5, 2018 3:57 PM
To: dots@ietf.org
Subject: [Dots] Data Channel - Deletion of Aliases when manually configured on DOTS Server

 


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

  _____  

Hi There,

 

When there is a manual configuration on the DOTS server of an alias by an operator, not created by the DOTS client, what should happen if the DOTS client tries to delete the alias?

 

The DOTS client will see the alias in a GET request for all aliases (as it is entitled to use it)

 

Returning a 404 (Not Found) could be confusing

 

Returning a 204 (No Content) is not right as it has not been deleted per se.

 

Should the alias in the GET response be marked as permanent (or some equivalent)?

 

The same is true for ACLs

 

Regards

 

Jon